weserv / images

Source code of wsrv.nl (formerly images.weserv.nl), to be used on your own server(s).
https://wsrv.nl/
BSD 3-Clause "New" or "Revised" License

How to block https://wsrv.nl ? #401

Closed paul-uz closed 3 months ago

paul-uz commented 6 months ago

We would like to entirely block the usage of https://wsrv.nl/ linking our images on other sites.

We have implemented an IP block already, but some images have already been cached; how can we get the cached images removed?

Also, I noticed the query param errorredirect - how can we effectively stop that from being useful? We've blocked wsrv.nl, and would want to stop the redirect happening as well.

andrieslouw commented 6 months ago

It's hard to stop the errorredirect, as it seems to be working as intended. Please let us know why exactly we'd need to block, and we'll look into it. Normally our service would prevent your servers from getting too many requests.

paul-uz commented 6 months ago

We want to try and block initial attempts at hotlinking images as they are the IP of our clients. Various Chinese sites are using your service to hotlink the images. By blocking your service initially, a cached copy of the image can never be created.

kleisauke commented 6 months ago

Hotlink protection (based on the HTTP referer header) can be easily bypassed these days with a referrerpolicy of no-referrer, which can be set on the HTML document with:

<meta name="referrer" content="no-referrer" />

Or on specific images with:

<img src="https://example.com/images/myimage.jpg" referrerpolicy="no-referrer">

Therefore, there are no plans to make the &default= / &errorredirect= query strings opt-out for some URLs.

kleisauke commented 6 months ago

Note that nowadays you could set the Cross-Origin-Resource-Policy: same-origin (CORP) header on the images you serve for enhanced hotlink protection, which is also effective even when referrerpolicy is used, see: https://exact.realty/blog/posts/2022/10/09/hotlink-protection-in-2022/

I assumed that using the &default= / &errorredirect= query strings implies referrerpolicy="no-referrer", but this isn't the case. It looks like the original referrer is still retained.

We have implemented an IP block already, but some images have already been cached; how can we get the cached images removed?

If you want, you can send us an email with the images that are affected and need to be purged from cache.
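The two mechanisms discussed in these comments, the Referer-based hotlink check that a no-referrer policy slips past and the Cross-Origin-Resource-Policy (CORP) header that the browser enforces regardless of Referer, modelled as a small added example. This is not code from weserv/images or from the commenters; the allowed hosts, the origins and the request headers are constructed for the demonstration, and the browser-side CORP check is a simplified model (it does not use the Public Suffix List for the same-site case).

```python
# Added example (not code from weserv/images): a minimal model of the two
# hotlink-protection mechanisms discussed above, for an origin server that
# serves images. Hosts, origins and headers below are constructed samples.
from urllib.parse import urlparse

# Sites allowed to embed our images (constructed sample values).
ALLOWED_REFERER_HOSTS = {"example.com", "www.example.com"}


def referer_allows(headers):
    """Classic Referer-based hotlink check; True means the request may be served.

    Most deployments let a request through when the Referer header is absent,
    because direct navigation, bookmarks and privacy-minded browsers send none.
    That is the gap the referrerpolicy="no-referrer" bypass relies on: the
    embedding page suppresses the header and looks like a direct visit.
    Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer", "")
    if referer == "":
        return True
    return urlparse(referer).hostname in ALLOWED_REFERER_HOSTS


def image_response(headers):
    """Return (status, response_headers) for a request to one of our images.

    Even when the Referer check passes, the response carries
    Cross-Origin-Resource-Policy: same-origin, which the browser enforces when
    a cross-origin document tries to embed the image, independent of Referer.
    """
    if not referer_allows(headers):
        return 403, {}
    return 200, {
        "Content-Type": "image/jpeg",
        "Cross-Origin-Resource-Policy": "same-origin",
    }


def corp_permits_embedding(corp_value, page_origin, image_origin):
    """Simplified model of the browser-side CORP check for a no-cors <img> load.

    Real browsers derive the "site" from the Public Suffix List; this model
    treats the last two host labels as the site. That is an assumption made
    for the demonstration, not the specification.
    """
    if corp_value is None or corp_value == "cross-origin":
        return True
    if corp_value == "same-origin":
        return page_origin == image_origin
    if corp_value == "same-site":
        def site(origin):
            return ".".join(urlparse(origin).hostname.split(".")[-2:])
        return site(page_origin) == site(image_origin)
    raise ValueError(f"unknown CORP value: {corp_value!r}")


def embed_outcome(page_origin, image_origin, request_headers):
    """End to end: does an <img> on page_origin end up rendering our image?"""
    status, resp = image_response(request_headers)
    if status != 200:
        return "blocked by Referer check"
    corp = resp.get("Cross-Origin-Resource-Policy")
    if not corp_permits_embedding(corp, page_origin, image_origin):
        return "blocked by CORP"
    return "rendered"


if __name__ == "__main__":
    img = "https://example.com"
    # Plain hotlink: the Referer reveals the foreign page, the classic check catches it.
    print(embed_outcome("https://other.test", img, {"Referer": "https://other.test/page"}))
    # Same hotlink with referrerpolicy="no-referrer": Referer check passes, CORP still blocks.
    print(embed_outcome("https://other.test", img, {}))
    # Legitimate embed from our own site.
    print(embed_outcome("https://example.com", img, {"Referer": "https://example.com/gallery"}))
```

In a real deployment the header is set by the web server rather than by application code (for example with nginx's `add_header` directive on the location that serves images); the point the model makes is that the Referer check and the CORP check are independent, so suppressing the Referer defeats only the first. Note that CORP is enforced by the browser that embeds the resource; it says nothing about how a server-side fetcher handles the response.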

kleisauke commented 3 months ago

I hope this information helped. Please feel free to re-open if questions remain.

how can we get the cached images removed?

Let's track this at #14.